default certificate support #1779
Conversation
|
/cc @abhgupta |
pweil-
force-pushed
the
router-wildcard-cert
branch
from
de5657f to
4934f95
Compare
|
rebased. Looking for feedback on the approach since there is a known issue with update validation (or if I should just go ahead and throw an annotation on the route in this pr if that is the correct course of action) |
|
Assigned shard would be a field on route. before we do that we have to decide whether we want to bind routes to multiple shards or follow the pod model and require you to create multiple. As far as how the router stores and uses certs, we probably want to move (in time) to using a KUBECONFIG file or some other more formal config for the router. It's fine for now what you've done. |
|
ok, I will clean this up and prep it for merge then. Thank you. |
pweil-
force-pushed
the
router-wildcard-cert
branch
2 times, most recently
from
5ad2c45 to
44108ae
Compare
|
unit tests are in. For reviewers: the unit tests were in a non-table based implementation for TLS...coded by a 6 months younger and less wise pweil-. All the additions/deletions were from converting them to a single, table based test. The relevant test cases for wildcard certs are the last 4 in the table. |
|
LGTM but would like someone else to do sign off. |
|
@smarterclayton @pweil- Taking a look at it now |
|
LGTM - just had a minor question related to route validation during updates. I will try to ping you tomorrow for that. |
|
snag that I didn't catch, pkg/api/validation/validation.go ValidateObject (used by the SwaggerSchema from what my search turned up) calls a validate generically for all objects so it won't have the shard. I set it to nil, but I'm worried that I'm just digging a hole on that one. Should I just throw an annotation on the route? If I do I probably also need to refactor the rest implementation to use a strategy, it is still in the old format. |
|
|
I'm over thinking it. I can just do a fetch/carry over the annotation/update in the existing structure without moving to generic etcd. That allows me to correctly validate the update and set the validateRoute back to just taking a route. |
|
Quick question - why are we not using generic etcd here? :)
|
|
it is still in the original implementation format from ... September 2014. It has not been refactored. We should be using generic etd. |
|
Open a follow up then. ----- Original Message -----
|
|
A route should not require a shard to exist. |
|
Users will create a route that won't have a shard bound to it, then a shard will be bound. |
|
Right, what we need to do is move to a status/spec setup where a route can be failed post validation and maintain information about allocation. Then validation can be relaxed for the certificates and the shard allocation mechanism can figure out if it supports the route as a wildcard or not. I thought that would be a post 3.0 item though and we wanted wildcard certs before then. In that case, with the current setup, I can tell if a route is attempting to be a wild card route up front in the allocation (since we use a generic allocator 100% of the time). Is this a hold off item or are we just discussing future changes? Will open the refactor issue. |
pweil-
force-pushed
the
router-wildcard-cert
branch
from
abb4acb to
08880dd
Compare
|
Updated and [test] for good measure |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1899/) |
|
----- Original Message -----
Validation can't fail because shard hasn't been set. Validation can do more work if shard is set. But it can't fail.
|
|
But right now a shard is always set: https://github.com/openshift/origin/blob/master/pkg/route/registry/route/rest.go#L83 The current validation is: if you have a route with TLS term type of edge or reencrypt then it must have cert/key/cacert In this PR the validation would be: if you have a route with a TLS term type of edge or reencrypt that has no certificates set check to see if the shard suffix is the host suffix. If so, good route. I can remove the validation and add something to the plugin to filter routes when writing config, logging the reasons why. The plugin itself would know what the default cert is, perhaps it could parse and load it to get the hosts, check for a * and run the suffix check from there. At that point the dns suffix in the shard seems redundant. That does tie the plugin to PEM data, but we discussed that on the validation PR. If that's not good, what would be the preferred implementation? I feel like the more we move into the shard configuration stories the closer routers become to being resources that the server can interact with since the configuration of routes relies on the configuration of the router. Not saying they have to be, just saying they're closely tied when it comes to name generation and wild card certificates. |
|
I'm saying, the validation should not require a shard. If a particular validation needs a shard, make it conditional on the shard being set.
|
|
heh then I think we may be agreeing. Seriously not trying to be a pain in your ass, I promise 😈 for edge/reencrypt we check that you either have all the certs defined or are a wildcard: https://github.com/pweil-/origin/blob/router-wildcard-cert/pkg/route/api/validation/validation.go#L82 if you have any of the certs defined you should have them all: https://github.com/pweil-/origin/blob/router-wildcard-cert/pkg/route/api/validation/validation.go#L82 otherwise check if you may be a wild card route, if no shard is set you can't be a wildcard because we don't know the dns suffix that is supported by the shard: https://github.com/pweil-/origin/blob/router-wildcard-cert/pkg/route/api/validation/validation.go#L82 So you get an extra chance at being valid IF the shard is set |
A shard may not be set yet. Validate should allow us to set values that get resolved later for correctness. So validate shouldn't reject a configuration that might become valid once shard is set. |
|
Ok, well then here is how I see our options pre-spec/status implementation
Post spec/status implementation the route will be in Pending state, the shard allocation mechanism can validate and set the state to Allocated or Failed, the router only cares about Allocated routes Which option is suitable for now or is there another one I'm not thinking of? |
|
|
ok, on it. Thank you. |
pweil-
force-pushed
the
router-wildcard-cert
branch
from
08880dd to
71daa98
Compare
|
[test] |
|
I've removed the validation that required the ca/cert/key for edge and reencrypt routes. The router will now do a check to see if those certificates exist. If the router is configured with a default certificate then a V4 log message will be produced. If the router was not configured with a default cert then a Warning log message will be produced:
Two other changes:
@smarterclayton @abhgupta - Please take another pass |
pweil-
force-pushed
the
router-wildcard-cert
branch
from
71daa98 to
fb7b0c0
Compare
|
LGTM [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1692/) (Image: devenv-fedora_1374) |
|
Evaluated for origin up to fb7b0c0 |
Merged by openshift-bot
…service-catalog/' changes from c3e3071633..231772fcc0 231772fcc0 origin build: add origin tooling 98af588 v0.1.11 release changes 01e2f90 v0.1.10 release changes 49af948 clear polling queue before starting new operation (openshift#1855) 252958e Refactor common serviceclass validations (openshift#1858) 68f55c6 Catalog Controller should listen on https and serve metrics over TLS secured channel (openshift#1851) 5d0f773 Refactor common broker validations (openshift#1865) eeaf285 Add NamespacedServiceBroker switch to helm chart (openshift#1864) d2c960c Add NamespacedServiceBroker Feature (openshift#1863) ef15310 Fix NamespaceScoped doc text for ns types (openshift#1862) 8d0a637 fix async deprovision retry (openshift#1832) a918a16 Update registry code from serviceclass to clusterserviceclass (openshift#1852) 4dfd13c Bump dependency on go-open-service-broker-client to 0.0.6 (openshift#1856) 958b7cd Rename SharedServicePlanSpec to CommonServicePlanSpec (openshift#1850) 426aec3 pick a better random port to listen on in integration tests (openshift#1844) 6a59ada OrphanMitigation condition and different handling of retry timeout (openshift#1789) c9b8f60 Extracting common broker spec elements into embeddable struct (openshift#1841) 3f8fab6 Extract common service class spec fields (openshift#1834) 93dab13 Support for OSB [PR#452](openservicebrokerapi/servicebroker#452). (openshift#1849) 5e1e90d [WIP] Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1847) 74f73c0 disable tests for deployment stage (openshift#1845) 82fc6e4 Revert "Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803)" (openshift#1843) 94b5795 gitignore integration.test binary (openshift#1840) 014c468 Extracting common plan spec into embeddable struct (openshift#1833) 5d7041b Use k8s NewUUID method exclusively (openshift#1836) eac3f96 A new test was added after prechecks happened for last pr. (openshift#1838) 4b5d159 Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803) cc02f0e [svcat] Adding a filter to get plan. (openshift#1758) 70afb56 reset RemovedFromBroker flag on plans that are re-added by broker (openshift#1824) 712dd4a Add behavior to print deleted instance name (openshift#1806) 55505be Update catalog charts README configuration (openshift#1823) 6426c98 Controller reconciliation rework - part 2 (ServiceBinding) (openshift#1819) c606560 Integrate svcat docs with Service Catalog's (openshift#1784) e9aeeb0 Synchronize some generated code that was missed along the way (openshift#1801) a63ebf7 Fix failing test: TestReconcileServiceInstanceWithFailedCondition (openshift#1813) 07ef743 Controller reconciliation rework - part 1 (ServiceInstance) (openshift#1779) a7d602b Export the touch instance command (openshift#1809) bddb9a7 Allow retries for instances with Failed condition after spec changes (openshift#1751) a777af5 Add enhanced parameter options to provision (openshift#1785) fd1a0b9 Print deleted bindings (openshift#1799) 36d437a Adding the ability to sync a service instance (openshift#1762) 1f60676 Remove Failed condition if there was no terminal failure (openshift#1788) cd831de allow brokers to respond to getCatalog() with no services (openshift#1772) (openshift#1781) e5c37ad Add ObservedGeneration and Provisioned into ServiceInstanceStatus (openshift#1748) 9021d8b Add carolynvs to OWNERS (openshift#1780) b7643d6 Add all-namespaces flag to svcat (openshift#1782) 01e652f Use docker to interact with files made by docker (openshift#1777) REVERT: c3e3071633 origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: 231772fcc00be08b6b2665a39c4a3bacb0b2271f
…service-catalog/' changes from c3e3071633..231772fcc0 231772fcc0 origin build: add origin tooling 98af588 v0.1.11 release changes 01e2f90 v0.1.10 release changes 49af948 clear polling queue before starting new operation (openshift#1855) 252958e Refactor common serviceclass validations (openshift#1858) 68f55c6 Catalog Controller should listen on https and serve metrics over TLS secured channel (openshift#1851) 5d0f773 Refactor common broker validations (openshift#1865) eeaf285 Add NamespacedServiceBroker switch to helm chart (openshift#1864) d2c960c Add NamespacedServiceBroker Feature (openshift#1863) ef15310 Fix NamespaceScoped doc text for ns types (openshift#1862) 8d0a637 fix async deprovision retry (openshift#1832) a918a16 Update registry code from serviceclass to clusterserviceclass (openshift#1852) 4dfd13c Bump dependency on go-open-service-broker-client to 0.0.6 (openshift#1856) 958b7cd Rename SharedServicePlanSpec to CommonServicePlanSpec (openshift#1850) 426aec3 pick a better random port to listen on in integration tests (openshift#1844) 6a59ada OrphanMitigation condition and different handling of retry timeout (openshift#1789) c9b8f60 Extracting common broker spec elements into embeddable struct (openshift#1841) 3f8fab6 Extract common service class spec fields (openshift#1834) 93dab13 Support for OSB [PR#452](openservicebrokerapi/servicebroker#452). (openshift#1849) 5e1e90d [WIP] Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1847) 74f73c0 disable tests for deployment stage (openshift#1845) 82fc6e4 Revert "Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803)" (openshift#1843) 94b5795 gitignore integration.test binary (openshift#1840) 014c468 Extracting common plan spec into embeddable struct (openshift#1833) 5d7041b Use k8s NewUUID method exclusively (openshift#1836) eac3f96 A new test was added after prechecks happened for last pr. (openshift#1838) 4b5d159 Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803) cc02f0e [svcat] Adding a filter to get plan. (openshift#1758) 70afb56 reset RemovedFromBroker flag on plans that are re-added by broker (openshift#1824) 712dd4a Add behavior to print deleted instance name (openshift#1806) 55505be Update catalog charts README configuration (openshift#1823) 6426c98 Controller reconciliation rework - part 2 (ServiceBinding) (openshift#1819) c606560 Integrate svcat docs with Service Catalog's (openshift#1784) e9aeeb0 Synchronize some generated code that was missed along the way (openshift#1801) a63ebf7 Fix failing test: TestReconcileServiceInstanceWithFailedCondition (openshift#1813) 07ef743 Controller reconciliation rework - part 1 (ServiceInstance) (openshift#1779) a7d602b Export the touch instance command (openshift#1809) bddb9a7 Allow retries for instances with Failed condition after spec changes (openshift#1751) a777af5 Add enhanced parameter options to provision (openshift#1785) fd1a0b9 Print deleted bindings (openshift#1799) 36d437a Adding the ability to sync a service instance (openshift#1762) 1f60676 Remove Failed condition if there was no terminal failure (openshift#1788) cd831de allow brokers to respond to getCatalog() with no services (openshift#1772) (openshift#1781) e5c37ad Add ObservedGeneration and Provisioned into ServiceInstanceStatus (openshift#1748) 9021d8b Add carolynvs to OWNERS (openshift#1780) b7643d6 Add all-namespaces flag to svcat (openshift#1782) 01e652f Use docker to interact with files made by docker (openshift#1777) REVERT: c3e3071633 origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: 231772fcc00be08b6b2665a39c4a3bacb0b2271f
This pr contains the ability to specify a default certificate for a router in order to support wild card certificates.
Included:
--default-cert=/path/to/filecrtdirective to add the default cert if available. It will still use the dummy pem file in the non-sni backend if no default cert is found. In the SNI end it will resort to the configured directoryDefaultCertificateandStateIssue: for updates we don't allocate the shard. Right now I short circuit for a nil shard so an error condition exists for an update where tls is removed, term is still set to edge/reencrypt. I assume at some point we'll want to store the shard configuration somewhere and be able to retrieve it via an annotation on the route.
If this looks good I'll wrap up the unit tests tomorrow.
@ramr @rajatchopra @smarterclayton PTAL